Blogger’s Guide to HTTPS and SSL Certificates

By now even the most amateur Web user has noticed that some websites start with the traditional, http://, while others the slightly longer. https://. But far fewer realize the significance of that extra letter. Do you know what it means?

URLs that begin in, “https,” are encrypted to help prevent hackers from intercepting your data. If you haven’t figured it out yet, the extra “s” stands for security.

More specifically, https stands for Hypertext Transfer Protocol Secure, and the sites are encrypted using SSL, or Secure Sockets Layer. As more users began to engage in eCommerce and online banking, the demand for data integrity, security and confidentiality became paramount. Brands found it necessary to convert to the more secure protocol to compete for increasingly-conscientious consumers.

Because SSL promise a more secure Web, Google and other industry leaders began to encourage sites to migrate. The presence of SSL certificates became a ranking signal more than three years ago.

But with this month’s release of Chrome v62, Google will begin marking non-HTTPs that include text input fields – such as search bars or contact forms – with the label “NOT SECURE” in the address bar. Ouch! Bad news for bloggers who don’t engage in ecommerce but offer even a simple comment section or email sign-up form. Similar labels will be applied to sites that have outdated certificates.

SSL Basics

SSL Basics

What are SSL Certificates?

According to SSL.com, Secure Sockets Layer, “is the standard security technology for establishing an encrypted link between a web server and a browser.” This important link ensures that any data passing between a web and internet browsers remains securely private, inaccessible to hackers.

Millions of websites now use SSL certificates to protect the integrity of customer data and online transactions. How does it work?

When a user’s Internet browser – such as Chrome, Firefox or Safari – connects to a website’s server, the SSL certificate binds the two together with a connection so secure it cannot be seen by anyone but the website submitting data and the user entering it.

So that hacker who tries to place a listening program on the server? He or she captures nothing but scramble.

SSL certificates also tell users details of a website’s authenticity. When a visitor click’s their browser’s padlock symbol or trust mark while visiting a page, they can read details regarding the identify of the person, business or organization that owns the website.

History of Cryptology and SSL

People have been encrypting messages since ancient times, when leaders like Julius Caesar used a cipher to rearrange the order of letters in messages sent to his generals. Since each letter in the message was replaced by another a fixed number of positions away in the alphabet, the recipients could decipher the message, but eavesdroppers and hostile interceptors would have no idea what they were looking at.

Of course, modern cryptology is a bit more sophisticated. Ciphers used by computers can operate on large binary sequences and programs to instantly analyze encryption. In the mid-1970s IBM designed an algorithm that became the federal Data Encryption Standard, and other early data scientists published other key algorithms that supported more advanced cryptology.

SSL was originally developed by then-search giant Netscape in 1994 amid growing concern over cybersecurity. But because of some serious security flaws in version 1.0, the protocol was not publicly released until version 2.0 launched in 1995. It wasn’t until version 3.0 came along in 1996 that Netscape found the right formula, and later versions have been based on this third draft.

Technically, Secure Sockets Layer was replaced by Transport Layer Security protocols as early as 1999, but both are still generally referred to as SSL. The differences between the two was slight, but the privacy effects were significant and have only increased with each subsequent version. In fact, numerous updates have occurred over the years to respond both as weaknesses were recognized and as hackers found more sophisticated ways to crack the code.

Why the confusing name change? Remember that intense war between Netscape and its Navigator browser and Microsoft’s Internet Explorer? The one Microsoft ultimately and dramatically won? If you’re too young too recall, there was actually a time when Internet Explorer was crowned king.

At about the same time Netscape was working on version 3.0 of its SSL, Microsoft revised the flawed second version with its own protocol, one it named PCT. The budding internet community didn’t want a repeat of VHS vs. Betamax with two competing and incompatible protocols between which users must choose, so a deal was negotiated – one in which the competing tech companies would both support an open and standard protocol.

Microsoft, however, insisted on a new name, and TLS was born. Apparently, the joke was on Bill Gates, though, since the SSL label has stuck to this day.

SSL Benefits

SSL Benefits

Google’s changes to Chrome are really placing the heat on any blogger who hasn’t already migrated to https, but there’s plenty of additional value in SSL protocols. Obviously, if ecommerce occurs, https:// URLs lend to confident customers. And confident customers equal increased sales. Sites with a valid SSL certificate are immediately considered more trustworthy, credible and legitimate.

SSL not only protects’ the privacy of visitors’ information, but it helps ensure data integrity for a site owner. With a valid SSL certificate, bloggers can be assured that data input onto their site hasn’t been modified or corrupted during transfer. And with the rampant issue with phishing websites impersonating legitimate pages to steal visitors’ information, secured sites provide evidence to users that they are, in fact, in the right place.

SSL and SEO

But for the past few years, SSL has also affected the ever-important search ranking. Google factors security status in its infamous ranking algorithm, a development welcomed by bloggers who have already migrated. Secure websites are now placed higher in search results than those without SSL certificates, all other factors being equal.

In 2015 Google announced it would favor URLs beginning in https or http, under the following conditions:

The sitemap lists the HTTPS URL or doesn’t list the HTTP version of the URL.

The server has a valid TLS certificate.

Understanding these conditions is important for bloggers hoping to capitalize on their TLS certificates. If a website is migrated to https, but the page includes links to other sites that do not have a valid certificate, Google will not rank the page as secure. Likewise, sites will not receive the extra ranking if they include images, videos or other graphics tied to URLS that have not migrated to TLS.

Ahrefs tested the algorithmic update in early 2016. Blogger Christoph Engelhardt analyzed the top 10,000 domains to examine how much an https URL boosted their SERP rankings.

While he found that qualifying websites indeed benefited in their rankings, his research determined only 10 percent of websites actually featured a “flawless” https setup that meets all of Google’s qualifications for preference. And 60 percent of websites at that time still had not migrated to https whatsoever.

Later in 2016, Backlinko’s Brian Dean analyzed 1 million Google search results and found that a site’s overall link authority, based on meeting all of Google’s qualifications, strongly correlated with higher rankings.

But that wasn’t all. Dean’s determinations also included:

Backlinks are highly important Google ranking factors. The number of domains linking to a page influenced rankings more than any other factor.

HTTPS had a reasonably-strong correlation with first-page rankings.

Site speed is important. Based on Alexa data, pages on fast-loading sites ranking much higher than pages on slow-loading sites. Speed is an important consideration when choosing an SSL certificate.

Activating an SSL

Activating an SSL

Ready to migrate your blog to https? You first need to set up an SSL certificate for your website’s domain, then install it on the server and update all permalinks to an https URL. But before you can do any of that, you must decide what type of SSL certificate is most appropriate or your needs. It’s definitely not a one-size-fits-all scenario.

Types of SSL Certificate

Types of SSL certificates can be classified by their validation level and the number of secured domains that they cover. While some bloggers only need to migrate a single landing page to https, most website owners have at least a couple of landing pages and subdomains, not ot mention a separate URL for each of their blog entries.

SSL certificates also vary by their validity periods. While most standard certificates are available for one to two years before they must be renewed, longer-term advanced certificates are available for longer time periods.

The least expensive of paid SSL certificates, domain validation is just as its name implies. A website owner must validate ownership of the domain using email or by adding a DNS record. It can be obtained in just a few minutes, and it’s ideal for those who aren’t supporting a larger organization and don’t need additional security.

Organization Validation

The minimum required certification for e-commerce portals, the SSL certificate validates domain ownership, and usually takes 2-3 days to activate. Because the validation is completed by the certificate authority, it’s more secure than a DV certificate.

Extended Validation

Highly-recommended for websites where transactions are preformed, the certificate requires a strict authorization process that takes 7-10 days to complete. The certificate displays organizational information and offers a green HTTPS address bar that instills greater consumer confidence. Thus, EV certificates are most popular among banking, finance and e-commerce sites.

Single Name SSL Certificate

The certificate can only secure a single subdomain. Therefore, with this SSL certificate, the hypothetical URL example.domain.com can be secured, but not the coinciding example2.domain.com. Likewise, the main domain of domain.com would not be secured, either.

Wildcard SSL Certificate

The SSL certificate type secures unlimited subdomains for a single domain. Therefore, not only can domain.com be protected, but also example.domain.com, example2.domain.com, example3.domain.com and so on.

Additional divisions beyond the subdomain, however, are not included in the certificate’s protection. So, for example, test.example.domain.com would not be covered under a wildcard certificate.

Multi-domain SSL certificate.

The all-encompassing SSL certificate will secure all variations on a domain and its subdomains. It is highly recommended for site owners that want to secure multiple domains and subdomains.

7. Unified Communications Certificate

The UCC certificate can be thought of as the group discount SSL certificate. It allows a customer to protect as many as 100 domains using the same certificate. These are specifically designed to secure Microsoft Exchange and Office communications environments.

Registering a New SSL Certificate

Once you’ve determined the type of SSL certificate you need to migrate your blog to https, it’s time to purchase and activate the certificate. Some hosting companies such as Hubspot and WordPress offer their own migration programs, but a host of certificate authorities issue SSL protection, including SSLs.com, Media Temple, Namecheap, GoDaddy and Comodo.

If you’re on a budget but also tech-savvy, you can a acquire a free SSL certificate with Let’s Encrypt.

Once you obtain your SSL certificate, it’s time to install it on the server. The exact process of doing so will vary depending on your hosting environment and server setup. Check your host for details.

After the SSL certificate has been installed, its’ time to update all content references. Remember, for a Google SERP rating, all URLs on a page must adhere to TLS protocol. The easiest way to update internal links and redirects is by employing search-and-replace in a database and HTML code. Ensure that all URLS for images, scripts and other content are also updated.

After you’ve updated links, templates, images, tags and plugins, you’ll want to crawl the site and catch any URLs and tags that you might have missed. Searchengineland offers a detailed how-to guide that lists every possible script that might need updated.

Fortunately, Google has also updated its Webmaster Tools to better accommodate https sites and their analytics. Be sure you track any SSL migrations within Google Tools and through appropriate analytics software.

Renew an Existing Certificate

SSL renewals don’t happen automatically. If you’ve rec3eived notice that your existing certification will soon expire, it’s a good idea to renew it ahead of time. Otherwise, you might have to repurchase it as a new certificate. The exact process will vary depending on the certificate authority. Namecheap, for example, offers these steps to renew an SSL certificate.

Tips for painlessly migrating to https

It’s no longer any secret that encrypting website users’ information is not paramount to success. But Google Chrome now also visually penalizes websites that have not migrated to https://. Keep the following tips in mind when activating an SSL certificate for your blog:

As a precaution, create a full backup of your website before you begin installing an SSL certificate.

Use certificates with a minimum 2048-bit key.

If you have resources residing on the same secure domain, identify them with relative URLs.

Don’t’ block your https site from crawling using robots.txt or you won’t receive any SERP bonus from Google.

Allow search engines to index your pages whenever possible.

Change all of your internal links, including updating links to assets. Don’t’ forget links that may reside within CSS references, images and JavaScript files.

Make sure you include a canonical link within your <head>section so that traffic is properly redirected to the protected URL.

Add an extra link into your site configuration so that any traffic that tries to visit the original version of your website is automatically redirected to the https URL.

That’s the most comprehensive article I have seen on http and SSL certificates. To be honest I had assumed you just paid your $50 (or whatever) and auto-magically you were secure LOL. If only!

I also enjoyed the information on the history of SSL and the comparison with VHS vs Betamax. As one who backed the wrong horse in that race, it struck a chord.

A question, please: you mention that if the page includes links to other sites that do not have a valid certificate, Google will not rank the page as secure…… does this mean that comments left by http sites on https sites will negate the point of having https, until all commenting blogs use https?

Thank you for the comment,
Totally agree with you on security, it isn’t easy! Temok is one of the most secure web hosting company around and for that many steps are taken – which keeps our hosted websites safe.

That is a very important question, will let the Temok’s Tech team answer that,

HI Oleg, I did notice an uptick in traffic once I migrated to the https – I went through GoDaddy for mine and am very happy with it. I had my techie do it for me.
I have notice though when I comment on other websites I cannot use the https in my web address, comment luv does not work with it. But once I figured it out it was okay.
Love your description and how it all works for https as many bloggers do not quite grasp the importance of it. This post surely demonstrates the why and how 🙂
Thank you!

hey Joy,
Let me give you a clear picture about google ranking practices regarding SSL and Non-SSL domains.
If a website “example.com” has valid SSL certificate but when we navigate to its different links like promotions links and its not on valid SSL google ranking will be affected as google highly recommend to have valid SSL on site which is completely secured through SSL (secure socket layer). However, if someone comments your blog from simple HTTP blog /website without any valid SSL certificate that will not affect page rankings in google since its organic /unique traffic that can come up from any geological location.

Personally I think it doesn’t make any difference but you can always remove the link if you think that it may cause some damage to your website or if you feel that a particular comment doesn’t add any value to your actual article or isn’t really related to your article, you can delete the whole comment. If you are running a blog, it is recommended to moderate all the comments which are posted on your blog posts. This way it would be a certainty that you don’t have any spam comments on your blog with dodgy outgoing links that can be harmful to your website.

Hi Oleg, Thanks for this comprehensive writeup. I purchased an SSL certificate for my website a few years ago, but never did anything to transition to it. I was too afraid of broken links to do it myself and never got around to hiring anyone to help me do it.

Well, earlier this year, my site automagically started redirecting to the https version of my site. Go figure. I still don’t know how that happened!

AND, my traffic has soared. I am getting double the traffic of last year, mostly because of Google. So yes, it is worth switching, but I can’t tell you how it’s done.

Thanks for this great primer on SSL and https. I have transitioned a couple of my sites, but still have more to do. Unfortunately, I think I’m going to have to switch hosting companies for some of them so I’ve been puttingit off.

yeah, I guess this change from http to https will also mean a lot of changes to hosting – some hosts are cheaper and more helpful … compared to many others who won’t offer help and charge you more for this change!

Welcome to Temok and thank you for the comment,
Yeah, I guess we all need SSL now – not only it helps in providing security and keep our visitors and customers safe – it also boosts our rankings in the search results,

Hey, Oleg,
Its really a mind blowing post i have ever read on this topic. Basically, I was just aware of HTTPS and SSL certificate, but didn’t know all these things of SSL. True thing is that i have learned a lot of terms from your post. Many people like me can get huge knowledge of SSL if they read your post. I will definitely share this post with my friends. Thanks a lot and have a great weekend.

SSL or I can say HTTPs has become very popular among bloggers as it’s been one of the ranking factors in search engines. I already made a thought to buy a wildcard SSL certificate and will secure my domain, and it’s subdomains.

I request to share a guide or check-list or points to keep in mind while switching to HTTPs. If you have, then please pass it to us and that will be very grateful.

Hello Oleg Kaluger. Thanks for putting this post and all these information here. Recently I am planning to move onto https. It not only helps in security but also in branding and organic ranking.
Couple of things to take care of here are; use a permanent redirection from http to https, move all internal URLs from http to https, and improve site’s speed.